
Re: sets and groupOfNames groups



Andreas Hasenack wrote:

> Now I want to be able to use nested groups, so I follow the FAQ and do a
> test with sets:
> 
> access to dn.regex="^([^,]+,)?ou=sudoers,dc=example,dc=com$"
>  attrs=children,entry,@sudoRole
>  by set="[cn=Sudo Admins,ou=System Groups,dc=example,dc=com]/member*"
> write
>  by * read
> 
> Without changing anything in the sudo admins group entry, suddenly I can
> create new entries under ou=sudoers as any authenticated user. That is,
> the group still only has the "uid=sudo admin" member, but I can add a
> new sudo entry as another user:

That's because sets grant permission as soon as the result of their
evaluation is a non-empty set, and yours will always be non-empty.

You need to check whether the intersection between the nested group
expansion and the user is not empty.  Something like [any newlines added
by the mailer]:

by set="[cn=Sudo Admins,ou=System Groups,dc=example,dc=com]/member* &
user" write

should work.

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
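To make the difference between the two ACLs concrete, here is a small model of how slapd evaluates a `by set=` clause. This is an added illustration, not slapd code and not part of the original thread: it uses a constructed in-memory directory (with an extra nested group, `cn=Ops`, added to show the `member*` closure), compares DNs as plain strings instead of normalized DNs, and treats the clause as matching whenever the resulting set is non-empty, which is the behaviour the reply above describes.

```python
"""Model of OpenLDAP ACL set evaluation for `[group]/member*` vs. `[group]/member* & user`.

Added illustration, not slapd code. `[dn]/member*` is modelled as the transitive
closure of the `member` attribute starting from the group (zero or more hops, so
the group DN itself is in the result); `& user` intersects that set with the bind
DN; the ACL grants access iff the final set is non-empty.
"""

# Constructed sample directory: DN -> attributes. A nested group (cn=Ops) is
# included so that the recursive expansion has something to follow.
DIRECTORY = {
    "cn=Sudo Admins,ou=System Groups,dc=example,dc=com": {
        "member": ["cn=Ops,ou=System Groups,dc=example,dc=com"],
    },
    "cn=Ops,ou=System Groups,dc=example,dc=com": {
        "member": ["uid=sudo admin,ou=People,dc=example,dc=com"],
    },
    "uid=sudo admin,ou=People,dc=example,dc=com": {},
    "uid=alice,ou=People,dc=example,dc=com": {},
}

GROUP_DN = "cn=Sudo Admins,ou=System Groups,dc=example,dc=com"


def expand_member_star(dn):
    """Return the set `[dn]/member*`: dn plus every member reachable by
    following `member` repeatedly (cycle-safe)."""
    seen = set()
    stack = [dn]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        stack.extend(DIRECTORY.get(current, {}).get("member", []))
    return seen


def set_clause_matches(group_dn, bind_dn, intersect_with_user):
    """Evaluate the `by set="..."` clause for one bind DN.

    intersect_with_user=False models `[group]/member*` (the original ACL);
    intersect_with_user=True models `[group]/member* & user` (the fix).
    The clause matches when the resulting set is non-empty.
    """
    result = expand_member_star(group_dn)
    if intersect_with_user:
        result = result & {bind_dn}  # the `& user` intersection
    return len(result) > 0


def who_gets_write(intersect_with_user):
    """List the constructed bind DNs that the ACL would grant write to."""
    candidates = [
        "uid=sudo admin,ou=People,dc=example,dc=com",
        "uid=alice,ou=People,dc=example,dc=com",
    ]
    return [dn for dn in candidates
            if set_clause_matches(GROUP_DN, dn, intersect_with_user)]


if __name__ == "__main__":
    print("member*         :", who_gets_write(False))  # every authenticated user
    print("member* & user  :", who_gets_write(True))   # only the (nested) member
```

Without the intersection the set is the group plus all its (nested) members, which is non-empty regardless of who is binding, so every authenticated user is granted write; with `& user` the set is empty for anyone who is not reachable through `member*`, and only `uid=sudo admin` (here via the nested `cn=Ops` group) gets write.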